More malicious emails out there

The attempts to break into the computers of North Korea watchers across the globe continue. I have been documenting such cases for over a year now; see a history of these efforts here. Below are the three most recent attempts that have been forwarded to me:

Here is the first malicious email:

---------- Forwarded message ----------
From: KoreaSociety  <[email protected]>
To: [DELETED]
Date: Fri, 25 Nov 2011 07:24:44 +0000
Subject: Dinner Party

When you click on “View Invite”, however, you are taken to “desk.reutersnetwork.com/FYI/Inviteviewer.hta”. This is not a friendly link! An .hta file is an HTML Application: Windows hands it to mshta.exe and runs its script with the privileges of the logged-in user, outside the browser sandbox.

Here is the email header for this email:

Return-Path:
Received: from col0-omc4-s4.col0.hotmail.com (col0-omc4-s4.col0.hotmail.com [65.55.34.206])
by mtain-de02.r1000.mx.aol.com (Internet Inbound) with ESMTP id 028C83800009C
for [DELETED]; Fri, 25 Nov 2011 02:24:45 -0500 (EST)
Received: from COL110-W1 ([65.55.34.200]) by col0-omc4-s4.col0.hotmail.com with Microsoft SMTPSVC(6.0.3790.4675);
Thu, 24 Nov 2011 23:24:44 -0800
Message-ID:
Content-Type: multipart/alternative;
boundary="_ad1f38f0-b70b-449b-8fe6-1bc6b8b11d2b_"
X-Originating-IP: [121.140.196.242]
From: KoreaSociety
To: [DELETED]
Subject: Dinner Party
Date: Fri, 25 Nov 2011 07:24:44 +0000
Importance: Normal
MIME-Version: 1.0
X-OriginalArrivalTime: 25 Nov 2011 07:24:44.0745 (UTC) FILETIME=[4E0BB390:01CCAB43]
x-aol-global-disposition: G
x-aol-sid: 3039ac1d40ca4ecf42bd7ab9
X-AOL-IP: 65.55.34.206
X-AOL-SPF: domain : hotmail.co.kr SPF : pass

Here is the second malicious email:

---------- Forwarded message ----------
From: Allen Gross <[email protected]>
Date: Thu, Nov 17, 2011 at 3:26 PM
Subject: FW:Great Leader,Kim Il Sung:commemorating the “Day of the Sun”
To: [DELETED]

I am forwarding the feature column: “Great Leader – Kim Il Sung”
This is written to commemorate the “Day of the Sun”.
I put a high valuation on contents of this column.
I was deeply moved at this writing.
You can read the column on the link below.

The Great Leader – Kim Il Sung, commemorating the “Day of the Sun”

I wonder what you think about this writing.
Thanks.

regards.

Here is the third malicious email (which came through as a bunch of Russian gibberish):

From: Minaji Tracker <[email protected]>
To: <[email protected]>
Date: Wed, 30 Nov 2011 07:06:29 +0000
Subject: KORUS FTA
жп╧ЦмЬ╠╠Ў╘11тб30хуоШо╒ Ўщжп╧ЗжўиЫ║Іх╚гР╩╙сО╧Ц╡╔мЬ║Ї
╠╗╣юё╛ЄРтрс╒╧Зй╧╧щё╛Їыиус╒╧З╧ЗфЛё╛ҐыЁжмБҐ╩╧ыт╠
║ґ║ґраюйиоящ║╟╨зи╚пгфзІЧ║╠║ёвРлЛё╗29хуё╘╟ЬмМё╛раюййвІ╪╣б╨з
ю╪йЩгїцШ╦ъпёяїиЗ╨мцЯжзё╛тзс╒╧ЗвєраюйЄСй╧╧щцег╟ЎыппйЎмЧ╩НІ╞ё╛©╧рИ
с╒╧ЗуЧ╦ўҐЭфзІтраюй╡их║╣╔╠ъжф╡цЄКй╘║ёйЩйўцШраюйЄСяїиЗгИпВ╪єІ╞╣ьЄЁхКс
╒╧ЗЄСй╧╧щё╛Їыиус╒╧З╧ЗфЛ╡╒тр╩╣╧щдзиХ╠╦║ёоЙо╦гИ©Жё╛нрцгюЄа╛оъжп╧З╧З╪
й╧Ц╡╔╣Гл╗вєраюй╪гуъбчюЄ╟╡║ё
жВЁжхкё╨бчюЄ╟╡ё╛ҐИиэр╩об╣╠лЛобнГраюй

ЄСяїиЗЁЕхКс

The phrase “ЄСяїиЗЁЕхКс” links to “private.neao.biz/FYI/debate.hta”, once again an .hta file served from an /FYI/ directory, the same pattern as the first email.

Here is the email header data:

Return-Path:
Received: from col0-omc4-s11.col0.hotmail.com (col0-omc4-s11.col0.hotmail.com [65.55.34.213])
by mtain-de01.r1000.mx.aol.com (Internet Inbound) with ESMTP id 0F6C63800008A
for ; Wed, 30 Nov 2011 02:06:30 -0500 (EST)
Received: from COL106-W22 ([65.55.34.200]) by col0-omc4-s11.col0.hotmail.com with Microsoft SMTPSVC(6.0.3790.4675);
Tue, 29 Nov 2011 23:06:29 -0800
Message-ID:
Content-Type: multipart/alternative;
boundary="_4505d9f9-d2ee-4e0b-8ee8-1d1bcae4a079_"
X-Originating-IP: [112.169.23.105]
From: Minaji Tracker
To: [DELETED]
Subject: KORUS FTA
Date: Wed, 30 Nov 2011 07:06:29 +0000
Importance: Normal
In-Reply-To:
References:
MIME-Version: 1.0
X-OriginalArrivalTime: 30 Nov 2011 07:06:29.0460 (UTC) FILETIME=[95453940:01CCAF2E]
x-aol-global-disposition: G
x-aol-sid: 3039ac1d40c94ed5d5f647c6
X-AOL-IP: 65.55.34.213
X-AOL-SPF: domain : hotmail.com SPF : pass

If you see any of these emails, or variations of them, please do not click on the link. Send them (and the email headers) to me to post so others can be on the lookout.
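As an added example (not part of the original post), the following Python triage script turns the two red flags documented above into checks: a link whose target is an .hta file, and an SPF "pass" that only vouches for a free webmail provider while X-Originating-IP shows the real client. The header text is this page's first header block (the elided Message-ID is omitted); the HTML body, the WEBMAIL set and the RISKY_EXT list are my assumptions.

```python
import re
from email import message_from_string

# Header block quoted on this page for the first email. Folded lines are indented so the
# parser treats them as continuations; the Message-ID was elided on the page and is omitted.
HEADERS_1 = """Received: from col0-omc4-s4.col0.hotmail.com (col0-omc4-s4.col0.hotmail.com [65.55.34.206])
 by mtain-de02.r1000.mx.aol.com (Internet Inbound) with ESMTP id 028C83800009C
 for [DELETED]; Fri, 25 Nov 2011 02:24:45 -0500 (EST)
X-Originating-IP: [121.140.196.242]
From: KoreaSociety
Subject: Dinner Party
X-AOL-SPF: domain : hotmail.co.kr SPF : pass
"""
# Constructed HTML body standing in for the invitation; only the link target is on the page.
BODY_1 = '<p>Dinner Party</p><a href="http://desk.reutersnetwork.com/FYI/Inviteviewer.hta">View Invite</a>'

WEBMAIL = {"hotmail.com", "hotmail.co.kr"}  # free-mail domains seen in this page's headers (assumed list)
RISKY_EXT = (".hta",)  # HTML Application: Windows runs it with mshta.exe, outside the browser sandbox
ANCHOR = re.compile(r'<a\s[^>]*?href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)  # adequate for mail bodies

def suspicious_links(html):
    """(visible text, href) pairs whose target path ends in a risky extension."""
    pairs = [(re.sub(r"<[^>]+>", "", text).strip(), href) for href, text in ANCHOR.findall(html)]
    return [(t, h) for t, h in pairs if h.split("?")[0].lower().endswith(RISKY_EXT)]

def triage(header_text):
    """Originating IP and SPF verdict as (ip, spf_domain, spf_result); None where absent."""
    msg = message_from_string(header_text)
    ip = msg.get("X-Originating-IP", "").strip(" []") or None
    spf = re.search(r"domain\s*:\s*(\S+)\s+SPF\s*:\s*(\S+)", msg.get("X-AOL-SPF", ""))
    return ip, (spf.group(1) if spf else None), (spf.group(2) if spf else None)

def risk_flags(header_text, html):
    """Plain-language reasons to treat the message as hostile."""
    ip, domain, result = triage(header_text)
    flags = [f"link '{t}' fetches {h}" for t, h in suspicious_links(html)]
    if result == "pass" and domain in WEBMAIL:  # SPF vouches for the provider, not the account holder
        flags.append(f"SPF pass for {domain} does not vouch for the sender (client IP {ip})")
    return flags

if __name__ == "__main__":
    for f in risk_flags(HEADERS_1, BODY_1):
        print("FLAG:", f)
```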



An affiliate of 38 North